[squid-users] ext_kerberos_ldap_group_acl problem

Diogenes S. Jesus splash at gmail.com
Wed Aug 24 11:29:15 UTC 2016


Hi there.

Well, the log says "Client 'HTTP/hostname.internet.domain.tld@YOUR.REALM.TLD'
not found in Kerberos database".

Check in krb5.conf on the squid host whether you're pointing to the right KDC,
and make sure the principal exists in the Kerberos database.
kadmin.local and "getprinc HTTP/hostname.internet.domain.tld@YOUR.REALM.TLD"
should yield the same error if the principal doesn't exist.

Dio

On Wed, Aug 24, 2016 at 1:03 PM, L.P.H. van Belle <belle at bazuin.nl> wrote:

> Hai,
>
> I'm having trouble getting ext_kerberos_ldap_group_acl working.
>
> I've read:
> http://www.squid-cache.org/Versions/v3/3.5/manuals/ext_kerberos_ldap_group_acl.html
>
> Here is what I have checked / done already.
>
> My keytab file:
>
> klist -ekt /etc/squid/keytab.PROXYSERVER-HTTP
> Keytab name: FILE:/etc/squid/keytab.PROXYSERVER-HTTP
> KVNO Timestamp           Principal
> ---- ------------------- ------------------------------------------------------------------
>    1 06/08/2015 15:28:03 HTTP/hostname.internet.domain.tld@YOUR.REALM.TLD (des-cbc-crc)
>    1 06/08/2015 15:28:03 HTTP/hostname.internet.domain.tld@YOUR.REALM.TLD (des-cbc-md5)
>    1 06/08/2015 15:28:03 HTTP/hostname.internet.domain.tld@YOUR.REALM.TLD (arcfour-hmac)
>
> The auth I'm using (which is working fine):
>
> auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
>   --kerberos /usr/lib/squid/negotiate_kerberos_auth -s HTTP/hostname.internet.domain.tld@YOUR.REALM.TLD \
>   --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOMAIN
>
> For testing I'm starting the group ACL on the command line:
>
> /usr/lib/squid3/ext_kerberos_ldap_group_acl -D YOUR.REALM.TLD -N internet-mail@NTDOMAIN -m 4 -s -i -d
>
> kerberos_ldap_group.cc(278): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: INFO: Starting version 1.3.1sq
> support_group.cc(382): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: INFO: Group list internet-mail@YOUR.REALM.TLD
> support_group.cc(447): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: INFO: Group internet-mail  Domain YOUR.REALM.TLD
> support_netbios.cc(83): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: DEBUG: Netbios list internet-mail@NTDOMAIN
> support_netbios.cc(156): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: DEBUG: Netbios name internet-mail  Domain NTDOMAIN
> support_lserver.cc(82): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: DEBUG: ldap server list NULL
> support_lserver.cc(86): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: DEBUG: No ldap servers defined.
>
> When I test with the user and group now:
>
> testuser internet-mail
>
> kerberos_ldap_group.cc(371): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: INFO: Got User: testuser set default domain: YOUR.REALM.TLD
> kerberos_ldap_group.cc(376): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: INFO: Got User: testuser Domain: YOUR.REALM.TLD
> support_member.cc(63): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: User domain loop: group@domain internet-mail@YOUR.REALM.TLD
> support_member.cc(65): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Found group@domain internet-mail@YOUR.REALM.TLD
> support_ldap.cc(898): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Setup Kerberos credential cache
> support_krb5.cc(127): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Set credential cache to MEMORY:squid_ldap_21722
> support_krb5.cc(138): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Get default keytab file name
> support_krb5.cc(144): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Got default keytab file name /etc/squid/keytab.PROXYSERVER-HTTP
> support_krb5.cc(158): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Get principal name from keytab /etc/squid/keytab.PROXYSERVER-HTTP
> support_krb5.cc(169): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Keytab entry has realm name: YOUR.REALM.TLD
> support_krb5.cc(181): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Found principal name: HTTP/hostname.internet.domain.tld@YOUR.REALM.TLD
> support_krb5.cc(196): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Got principal name HTTP/hostname.internet.domain.tld@YOUR.REALM.TLD
> support_krb5.cc(64): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: ERROR: Error while initialising credentials from keytab : Client 'HTTP/hostname.internet.domain.tld@YOUR.REALM.TLD' not found in Kerberos database
> support_krb5.cc(169): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Keytab entry has realm name: YOUR.REALM.TLD
> support_krb5.cc(181): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Found principal name: HTTP/hostname.internet.domain.tld@YOUR.REALM.TLD
> support_krb5.cc(196): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Got principal name HTTP/hostname.internet.domain.tld@YOUR.REALM.TLD
> support_krb5.cc(64): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: ERROR: Error while initialising credentials from keytab : Client 'HTTP/hostname.internet.domain.tld@YOUR.REALM.TLD' not found in Kerberos database
> support_krb5.cc(169): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Keytab entry has realm name: YOUR.REALM.TLD
> support_krb5.cc(181): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Found principal name: HTTP/hostname.internet.domain.tld@YOUR.REALM.TLD
> support_krb5.cc(196): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Got principal name HTTP/hostname.internet.domain.tld@YOUR.REALM.TLD
> support_krb5.cc(64): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: ERROR: Error while initialising credentials from keytab : Client 'HTTP/hostname.internet.domain.tld@YOUR.REALM.TLD' not found in Kerberos database
> support_krb5.cc(282): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Did not find a principal in keytab for domain YOUR.REALM.TLD.
> support_krb5.cc(283): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Try to get principal of trusted domain.
> support_krb5.cc(297): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Keytab entry has principal: HTTP/hostname.internet.domain.tld@YOUR.REALM.TLD
> support_krb5.cc(64): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: ERROR: Error while initializing credentials from keytab : Client 'HTTP/hostname.internet.domain.tld@YOUR.REALM.TLD' not found in Kerberos database
> support_krb5.cc(297): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Keytab entry has principal: HTTP/hostname.internet.domain.tld@YOUR.REALM.TLD
> support_krb5.cc(64): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: ERROR: Error while initializing credentials from keytab : Client 'HTTP/hostname.internet.domain.tld@YOUR.REALM.TLD' not found in Kerberos database
> support_krb5.cc(297): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Keytab entry has principal: HTTP/hostname.internet.domain.tld@YOUR.REALM.TLD
> support_krb5.cc(64): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: ERROR: Error while initializing credentials from keytab : Client 'HTTP/hostname.internet.domain.tld@YOUR.REALM.TLD' not found in Kerberos database
> support_krb5.cc(366): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Got no principal name
> support_ldap.cc(903): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: ERROR: Error during setup of Kerberos credential cache
> support_member.cc(76): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: INFO: User testuser is not member of group@domain internet-mail@YOUR.REALM.TLD
> support_member.cc(91): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Default domain loop: group@domain internet-mail@YOUR.REALM.TLD
> support_member.cc(119): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Default group loop: group@domain internet-mail@YOUR.REALM.TLD
> ERR
> kerberos_ldap_group.cc(411): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: ERR
>
> I don't see what I'm missing here.
>
> I'm running Debian Jessie, LDAP is set up for SSL, samba 4.4.5 and squid
> 3.5.19.
>
> I did see something about kerberos and groups but I can find that post.
>
> So, does anyone have any suggestion/tip on how to debug this, or why I'm
> getting "Error while initializing credentials from keytab"?
>
> Greetz,
>
> Louis
>


-- 
--------
Diogenes S. de Jesus
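The check Dio describes (is the KDC that krb5.conf selects for the realm the one that knows the principal, and does the keytab actually hold that principal) can be scripted so it runs outside squid. The script below is an added example, not code from either message or from the squid project. It parses MIT `klist -ekt` output, lists the distinct principals and encryption types, warns when the keytab holds only DES/RC4 keys (as the listing Louis posted does), and, when a keytab path is given and `kinit` is installed, requests a ticket with each principal from the KDC configured for its realm. The embedded sample listing is constructed to match the shape of the posted one, and all function names are my own.

```shell
#!/bin/sh
# Keytab vs KDC cross-check. Added example, not code from the thread or from squid.
# Parses MIT `klist -ekt` output (Heimdal prints different columns), reports the
# distinct principals and encryption types found, flags DES/RC4 keys, and,
# when a keytab path is given and kinit is installed, tries a keytab kinit for
# each principal against the KDC that krb5.conf names for its realm.

# Constructed sample in the shape `klist -ekt` prints; hostname and realm are
# the placeholders used in the thread, not real values.
SAMPLE_KLIST='Keytab name: FILE:/etc/squid/keytab.PROXYSERVER-HTTP
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 06/08/2015 15:28:03 HTTP/hostname.internet.domain.tld@YOUR.REALM.TLD (des-cbc-crc)
   1 06/08/2015 15:28:03 HTTP/hostname.internet.domain.tld@YOUR.REALM.TLD (des-cbc-md5)
   1 06/08/2015 15:28:03 HTTP/hostname.internet.domain.tld@YOUR.REALM.TLD (arcfour-hmac)'

# keytab_principals: distinct principals from klist -ekt text on stdin.
# Entry lines start with a numeric KVNO; date and time are fields 2 and 3.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ { print $4 }' | sort -u
}

# keytab_enctypes: distinct enctypes, taken from the parenthesised last field.
keytab_enctypes() {
    awk '$1 ~ /^[0-9]+$/ { e = $NF; gsub(/[()]/, "", e); print e }' | sort -u
}

# weak_enctypes: the DES-, 3DES- and RC4-based enctypes among those on stdin.
# MIT krb5 refuses single DES unless allow_weak_crypto is set; 3DES and RC4
# are deprecated by RFC 8429.
weak_enctypes() {
    grep -E '^(des-|des3-|arcfour-|rc4-)' || true
}

# realm_of: realm part of a principal name.
realm_of() {
    printf '%s\n' "$1" | sed 's/.*@//'
}

# kdc_check KEYTAB: kinit with each principal into a throw-away memory cache so
# the helper's own cache is untouched. A principal the KDC does not know fails
# here with the same "not found in Kerberos database" text the helper logged.
kdc_check() {
    keytab=$1
    klist -ekt "$keytab" | keytab_principals | while IFS= read -r princ; do
        if KRB5CCNAME="MEMORY:keytab_check_$$" kinit -kt "$keytab" "$princ" >/dev/null 2>&1; then
            printf 'OK   %s\n' "$princ"
        else
            printf 'FAIL %s  (check the [realms] entry for %s in krb5.conf and getprinc on that KDC)\n' \
                "$princ" "$(realm_of "$princ")"
        fi
    done
}

# report LISTING: summarise a klist -ekt listing passed as one string.
report() {
    listing=$1
    printf 'Principals in keytab:\n'
    printf '%s\n' "$listing" | keytab_principals | sed 's/^/  /'
    printf 'Encryption types:\n'
    printf '%s\n' "$listing" | keytab_enctypes | sed 's/^/  /'
    weak=$(printf '%s\n' "$listing" | keytab_enctypes | weak_enctypes | tr '\n' ' ')
    if [ -n "$weak" ]; then
        printf 'WARNING: weak or deprecated enctypes in keytab: %s\n' "$weak"
        printf '         Re-key the service principal with AES (a KDC with these disabled\n'
        printf '         will not issue tickets for them even when the principal exists).\n'
    fi
}

# Usage: sh keytab_check.sh [/path/to/keytab]
# Without an argument the constructed sample listing is summarised.
if [ -n "${1:-}" ] && command -v klist >/dev/null 2>&1; then
    report "$(klist -ekt "$1")"
    if command -v kinit >/dev/null 2>&1; then kdc_check "$1"; fi
else
    report "$SAMPLE_KLIST"
fi
```

Run it on the proxy host as `sh keytab_check.sh /etc/squid/keytab.PROXYSERVER-HTTP`. The enctype warning is a separate finding from the error in the thread: a KDC answers "Client ... not found in Kerberos database" when it has no such principal, while a disabled enctype produces a different KDC error, so a FAIL line points at which KDC krb5.conf selects for the realm (and whether that database holds the principal) rather than at the key types.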